Domain Account Password
J.D
Posted: Thu Dec 09, 2010 2:32 pm    Post subject: Domain Account Password

Voyager

Joined: 18 Dec 2009
Posts: 92
Location: United States

Hi,

We have a few MQ servers running on Windows 2003 as MUSR_MQADMIN, which is not a good practice. We have been asked to run MQ with a domain user replacing the default user, and the company policy is to change the password every six months. So when the password is changed, do we have to bring down the MQ service and configure it with the new password, or does MQ automatically update the new password?

Thank You!!!
_________________
IBM WebSphere MQ & WAS Administrator
mqjeff
Posted: Thu Dec 09, 2010 5:49 pm

Grand Master

Joined: 25 Jun 2008
Posts: 17447

MQ will not automatically update the password.

MQ doesn't even technically know the password.

The DCOMCFG knows the password... and there's nothing that automatically updates it.

Yes, you will have to stop all of the queue managers on a given machine in order to have them use the new password, after either rerunning the Prepare WebSphere MQ wizard or changing the password in DComCfg.

You will need to balance the impact of this against the security advantages it provides.
gbaddeley
Posted: Thu Dec 09, 2010 8:04 pm

Jedi

Joined: 25 Mar 2003
Posts: 2494
Location: Melbourne, Australia

MUSR_MQADMIN is a service user which is only used by MQ internal processes. Normal company policy is to exempt these types of users from password expiry / password reset / password complexity requirements. The password is a random value generated by MQ at installation and does not ever need to be known by anyone or changed.

Why would you want to set it up as a domain user?
_________________
Glenn
fjb_saper
Posted: Fri Dec 10, 2010 7:51 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Even when running MQ under a domain user, the account for that particular domain user should not allow login and as such the password need not change.
_________________
MQ & Broker admin
J.D
Posted: Sat Dec 11, 2010 4:17 pm

Voyager

Joined: 18 Dec 2009
Posts: 92
Location: United States

The main reason for changing the user from MUSR_MQADMIN to a domain user/service account is that OAM communicates with Active Directory as an anonymous user to authorize the application user putting/getting the messages. Now, the Windows team is tightening access to AD and they want to block anonymous user login to AD. When access for the anonymous user is blocked on AD, then none of the applications can connect with MQ.

As part of PCI requirements, we have to change all service account passwords every 6 months or 1 year. This is a must for all retail clients.
_________________
IBM WebSphere MQ & WAS Administrator